Abstract

We show that for every effective left conjugacy closed left quasigroup there is an induced rack that retains the conjugation structure of the left translations. This means that cryptographic protocols relying on conjugacy search can be secure only if conjugacy search of left translations is infeasible in the induced rack. We note that, in fact, protocols based on conjugacy search could be implemented directly using a rack. We give an exposition of the Anshel-Anshel-Goldfeld protocol in such a case.

Keywords: Cryptography, Left distributive, Conjugacy problem, Key exchange



1 Introduction 

A cryptographic key exchange protocol allows two or more parties to establish a common key over an insecure channel. The key can subsequently be used for secure transmission. The security of a key exchange protocol typically relies on a computationally hard problem. The conjugacy search problem (CSP) was first suggested for key exchange in the pioneering work by Anshel et al. [H Q] and Ko et al. 0. The CSP was later generalized in [8] for left conjugacy closed (LCC) loops as a partial conjugacy search problem (PCSP), allowing a wider class of platform structures.

In this paper, we show that cryptographic protocols that rely on the infeasibility of the CSP, or, as is in general the case, on the infeasibility of conjugating with a secret element, actually rely on the infeasibility of the PCSP in a rack (a left distributive left quasigroup). The rack is induced by conjugation of the left translations of the underlying structure, and its own left translations retain the same conjugation structure. This means that if an adversary can solve the PCSP in the induced rack, then she is able to conjugate with any element of the original structure. We suggest that any CSP based protocol could be implemented directly using a rack. The binary operation could be induced by group conjugation, by conjugation of the left translations of an LCC loop, or by a completely different left distributive binary operation. We give an exposition of the AAG protocol using a rack. The protocol can be seen as a further generalization of [5].

2 Preliminaries 

Let $Q$ be a non-empty set with a binary operation $*: Q \times Q \to Q$. We call $Q$ together with $*$ a magma and denote it by $Q(*)$. A mapping $L^*_a(x) = a * x$, where $a, x \in Q$, is called a left translation by $a$. We denote the set of all left translations of $Q(*)$ by $L_Q$. If $L^*_a$ is a bijection for every $a \in Q$, then $Q(*)$ is a left quasigroup. If there is no ambiguity about the binary operation, we leave it out and write simply $L_a$, $L_Q$ and $Q$.

We denote the application of a left translation $L_a$ to an element $x$ by $xL_a$. In this case, function compositions are worked out from left to right. That is, for example, $xL_aL_b = L_b(L_a(x))$. If $Q$ is a left quasigroup, then the left multiplication group of $Q$, $\mathcal{L} = \langle L_x : x \in Q \rangle$, is the permutation group generated by the left translations. A left quasigroup $Q(*)$ is left distributive if

$$a * (b * c) = (a * b) * (a * c)$$

for every $a, b, c \in Q$. It is idempotent if $a * a = a$ for every $a \in Q$. A left distributive left quasigroup is called a rack [5J[51H]. If a rack is also idempotent, then it is called a quandle. An excellent survey of racks can be found in [S].

A left quasigroup $Q$ is left conjugacy closed (LCC) if the set of left translations is closed under conjugation. That is, if for every $a, b \in Q$ there are $c, d \in Q$ such that

$$L_a^{-1} L_b L_a = L_c \tag{1}$$

and $L_a L_b L_a^{-1} = L_d$. A rack $Q$ is always LCC, since

$$x L_a^{-1} L_b L_a = a * (b * (xL_a^{-1})) = (a * b) * (a * (xL_a^{-1})) = (a * b) * (xL_a^{-1}L_a) = (a * b) * x = x L_{a * b}$$

for every $a, b \in Q$, that is, $L_a^{-1} L_b L_a = L_{a * b}$. Applying this identity with $b' = bL_a^{-1}$ in place of $b$ (so that $a * b' = b$) gives $L_a^{-1} L_{b'} L_a = L_b$, that is, $L_a L_b L_a^{-1} = L_{bL_a^{-1}}$, which is the second closure condition.

Let $G$ be a group and let $b, c \in G$ be conjugate. Given $b$ and $c$, the conjugacy search problem (CSP) is to find an element $a$ such that

$$a^{-1} b a = c. \tag{2}$$

If $Q$ is a left quasigroup, then (2) is not meaningful, but we can consider the CSP in the left multiplication group. In this case, given conjugate permutations $\beta, \gamma \in \mathcal{L}$, the problem is to find an element $\alpha \in \mathcal{L}$ such that $\alpha^{-1} \beta \alpha = \gamma$. If $Q$ is LCC, it is useful to restrict ourselves to the case $\beta = L_b$, $\gamma = L_c$. Given $b, c \in Q$, the problem is to find $\alpha$, a composition of left translations and their inverses, such that

$$\alpha^{-1} L_b \alpha = L_c.$$

This is a partial version of the CSP (PCSP), originally described in [8] for LCC loops. (In [8], $\alpha$ was required to be a composition of left translations, but this is only a slight generalization.)
3 Conjugacy search and racks

In this section, we consider the conjugation structure of the left translations of an LCC left quasigroup. In order that conjugation by $L_a$ determines a unique element of $Q$, we need the following definition.

Definition 1. Let $Q$ be an LCC left quasigroup for which there exists a function $\lambda: Q \times Q \to Q$ such that

$$L_a^{-1} L_b L_a = L_{\lambda(a,b)}$$

for every $a, b \in Q$. The magma $Q(\lambda)$, whose binary operation is given by $\lambda$, is called the left conjugation magma of $Q$.

If there is no such function, then we say that $Q$ does not have a left conjugation magma. Structures for which such a function is defined include, for example, groups, LCC loops and LCC left quasigroups that are effective. A left quasigroup is effective if the left translations are pairwise distinct, that is, if $L_a = L_b$ if and only if $a = b$.

Proposition 1. Let $Q$ be an effective LCC left quasigroup. If $Q(\lambda)$ is the left conjugation magma of $Q$, then $Q(\lambda)$ is a quandle.

Proof. Write $L^\lambda_x: Q \to Q$, $aL^\lambda_x = \lambda(x, a)$, for the left translations of $Q(\lambda)$. Then $Q(\lambda)$ is a left quasigroup if and only if $L^\lambda_x$ is a bijection for every $x \in Q$. We first show that $L^\lambda_x$ is injective. Suppose that $\lambda(x, a) = \lambda(x, b)$. Now

$$L_x^{-1} L_a L_x = L_x^{-1} L_b L_x,$$

from which $L_a = L_b$. Since the left translations are pairwise distinct, $a = b$, and $L^\lambda_x$ is injective.

If $Q$ is finite, then $L^\lambda_x$ is a bijection. However, if $Q$ is infinite it is not immediately clear that $L^\lambda_x$ is surjective. To prove this, we observe that every left translation $L_x$ of $Q$ is an element of the symmetric group $\mathrm{Sym}(Q)$. Conjugation by $L_x$ in $\mathrm{Sym}(Q)$,

$$\sigma(\tau) = L_x^{-1} \tau L_x$$

for every $\tau \in \mathrm{Sym}(Q)$, is an inner automorphism of $\mathrm{Sym}(Q)$. By the left conjugacy closedness of $Q$,

$$L_x^{-1} L_y L_x \in L_Q$$

for every $x, y \in Q$, so $\sigma(L_Q) \subseteq L_Q$. Similarly, by LCC, $\sigma^{-1}(L_Q) \subseteq L_Q$, and hence $\sigma(L_Q) = L_Q$. Thus for every $z \in Q$ there is $y \in Q$ with $L_z = \sigma(L_y) = L_{\lambda(x,y)}$, so $z = \lambda(x, y) = yL^\lambda_x$ by effectiveness, and $L^\lambda_x$ is surjective.

We now prove that $Q(\lambda)$ is left distributive. Let $a, x, y \in Q$. We can write $L_x = L_a L_{\lambda(a,x)} L_a^{-1}$ and $L_y = L_a L_{\lambda(a,y)} L_a^{-1}$. Now

$$L_{\lambda(x,y)} = L_x^{-1} L_y L_x = L_a L_{\lambda(a,x)}^{-1} L_a^{-1} \, L_a L_{\lambda(a,y)} L_a^{-1} \, L_a L_{\lambda(a,x)} L_a^{-1}$$
$$= L_a L_{\lambda(a,x)}^{-1} L_{\lambda(a,y)} L_{\lambda(a,x)} L_a^{-1}$$
$$= L_a L_{\lambda(\lambda(a,x), \lambda(a,y))} L_a^{-1}.$$

That is,

$$L_{\lambda(a, \lambda(x,y))} = L_a^{-1} L_{\lambda(x,y)} L_a = L_{\lambda(\lambda(a,x), \lambda(a,y))},$$

from which, by pairwise distinctness of the left translations,

$$\lambda(a, \lambda(x, y)) = \lambda(\lambda(a, x), \lambda(a, y)),$$

and $Q(\lambda)$ is left distributive.

In addition,

$$L_x^{-1} L_x L_x = L_{\lambda(x,x)} = L_x$$

for every $x \in Q$, so $\lambda(x, x) = x$ and $Q(\lambda)$ is idempotent. □
Proposition 2. Let $Q$ be an effective LCC left quasigroup and let

$$\alpha = L_{a_1}^{e_1} L_{a_2}^{e_2} \cdots L_{a_n}^{e_n},$$

where $n \in \mathbb{N}$ and $a_i \in Q$, $e_i \in \{-1, 1\}$ for every $i \in \{1, 2, \dots, n\}$. If $Q(\lambda)$ is the left conjugation magma of $Q$, then

$$\alpha^{-1} L_c \alpha = L_{c \alpha^\lambda},$$

where $\alpha^\lambda = (L^\lambda_{a_1})^{e_1} (L^\lambda_{a_2})^{e_2} \cdots (L^\lambda_{a_n})^{e_n}$. Furthermore,

$$(\alpha^\lambda)^{-1} L^\lambda_x \alpha^\lambda = L^\lambda_{x \alpha^\lambda}$$

in $Q(\lambda)$.

Proof. If $a_i \in Q$, then $L_{a_i}^{-1} L_c L_{a_i} = L_{c L^\lambda_{a_i}}$ and $L_{a_i} L_c L_{a_i}^{-1} = L_{c (L^\lambda_{a_i})^{-1}}$. Since $Q(\lambda)$ is left distributive, $(L^\lambda_{a_i})^{-1} L^\lambda_x L^\lambda_{a_i} = L^\lambda_{x L^\lambda_{a_i}}$ and $L^\lambda_{a_i} L^\lambda_x (L^\lambda_{a_i})^{-1} = L^\lambda_{x (L^\lambda_{a_i})^{-1}}$. The result follows by induction on $n$. □
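The following Python script is an added worked example, not code from the paper. It builds the objects of Section 2 and of this section for the smallest non-abelian group, $Q = S_3$ under group multiplication (an effective LCC left quasigroup), with left translations stored as permutations composed left to right as in $xL_aL_b$. It computes the function $\lambda$ of Definition 1 by matching conjugated translations against the table of left translations, checks that $\lambda(a, b) = aba^{-1}$ so that $Q(\lambda)$ is the conjugation quandle of $S_3$ (Proposition 1), checks the rack-implies-LCC identity $L_a^{-1}L_bL_a = L_{a*b}$ of Section 2 inside $Q(\lambda)$, and verifies both identities of Proposition 2 on a word $\alpha$. The choice of $S_3$, the tuple encoding of permutations and the sample word are assumptions made here for illustration.

```python
# Added example (not from the paper).  Q = S_3 under group multiplication,
# elements encoded as tuples p with p[i] = image of i.  Permutations of the
# index set of Q (the left translations) are tuples too, and x L_a L_b means
# "apply L_a first, then L_b", following the paper's convention.
from itertools import permutations


def pmul(p, q):
    """Group product in S_3 with the convention (p q)(i) = p(q(i))."""
    return tuple(p[q[i]] for i in range(len(p)))


def inverse(p):
    """Inverse of a permutation given as a tuple of images (used both for
    elements of Q and for permutations of the index set of Q)."""
    inv = [0] * len(p)
    for i, image in enumerate(p):
        inv[image] = i
    return tuple(inv)


def compose(*perms):
    """Left-to-right composition of index permutations: x compose(f, g) = (x f) g."""
    result = tuple(range(len(perms[0])))
    for p in perms:
        result = tuple(p[i] for i in result)
    return result


Q = sorted(permutations(range(3)))      # the six elements of S_3
IDX = {q: i for i, q in enumerate(Q)}

# Left translations of Q(*), * = group product: x L_a = a * x.
L = {a: tuple(IDX[pmul(a, x)] for x in Q) for a in Q}
BY_PERM = {perm: a for a, perm in L.items()}     # injective because Q is effective
assert len(BY_PERM) == len(Q)


def lam(a, b):
    """lambda(a, b): the unique c with L_a^{-1} L_b L_a = L_c (Definition 1).
    LCC of Q guarantees that the conjugate is again a left translation."""
    return BY_PERM[compose(inverse(L[a]), L[b], L[a])]


# Left translations of the left conjugation magma Q(lambda): x L^lambda_a = lambda(a, x).
L_LAM = {a: tuple(IDX[lam(a, x)] for x in Q) for a in Q}


def is_quandle(elements, op):
    """Left distributive, bijective left translations, idempotent (Proposition 1)."""
    left_dist = all(op(a, op(b, c)) == op(op(a, b), op(a, c))
                    for a in elements for b in elements for c in elements)
    bijective = all(len({op(a, x) for x in elements}) == len(elements) for a in elements)
    idempotent = all(op(a, a) == a for a in elements)
    return left_dist and bijective and idempotent


def rack_is_lcc(translations, op):
    """The Section 2 identity L_a^{-1} L_b L_a = L_{a*b} for a left distributive operation."""
    return all(compose(inverse(translations[a]), translations[b], translations[a])
               == translations[op(a, b)] for a in Q for b in Q)


def word_perm(translations, word):
    """alpha = L_{a_1}^{e_1} ... L_{a_n}^{e_n} for word = [(a_1, e_1), ...]."""
    return compose(*[translations[a] if e == 1 else inverse(translations[a])
                     for a, e in word])


def check_proposition_2(word):
    """alpha^{-1} L_c alpha = L_{c alpha^lambda}, and the same identity inside Q(lambda)."""
    alpha = word_perm(L, word)
    alpha_lam = word_perm(L_LAM, word)
    for c in Q:
        c_alpha_lam = Q[alpha_lam[IDX[c]]]              # the element c alpha^lambda
        if compose(inverse(alpha), L[c], alpha) != L[c_alpha_lam]:
            return False
        if compose(inverse(alpha_lam), L_LAM[c], alpha_lam) != L_LAM[c_alpha_lam]:
            return False
    return True


if __name__ == "__main__":
    print("lambda(a, b) = a b a^-1:",
          all(lam(a, b) == pmul(pmul(a, b), inverse(a)) for a in Q for b in Q))
    print("Q(lambda) is a quandle:", is_quandle(Q, lam))
    print("rack => LCC inside Q(lambda):", rack_is_lcc(L_LAM, lam))
    sample_word = [(Q[1], 1), (Q[4], -1), (Q[2], 1), (Q[5], 1)]
    print("Proposition 2 holds for the sample word:", check_proposition_2(sample_word))
```

Note that $S_3$ under its own product is not a quandle (it is not even idempotent), while its left conjugation magma is; that is exactly the gap Proposition 1 closes. The same script works for any finite effective LCC left quasigroup once `Q`, `pmul` and the table `L` are replaced by the structure's own Cayley table.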

By Proposition 2, the left conjugation magma of $Q$ retains the conjugation structure of the left translations of $Q$. Suppose that $L_c$ and $L_d$ are conjugate in $\mathcal{L}$. Suppose also that it is feasible to solve the PCSP in the left conjugation magma of $Q$. This means that it is feasible to find $\alpha^\lambda \in \mathcal{L}^\lambda = \langle L^\lambda_x : x \in Q \rangle$ such that $(\alpha^\lambda)^{-1} L^\lambda_c \alpha^\lambda = L^\lambda_d$. By Proposition 2,

$$L_{x \alpha^\lambda} = \alpha^{-1} L_x \alpha,$$

and, knowing $\alpha^\lambda$ as a word in the generators $L^\lambda_x$, we are able to conjugate any left translation of $Q$ by the corresponding $\alpha$. This is enough to break cryptographic protocols that are based on the infeasibility of conjugating with a secret element. A necessary condition for the security of such protocols is therefore the infeasibility of solving the PCSP in the left conjugation magma. In fact, protocols based on conjugacy search could be defined directly over a rack by conjugating its left translations. For example, if $Q$ is a rack, then the AAG protocol can be implemented in the following way.
Suppose that the participants are Alice and Bob. Let

$$S_A = \{a_1, a_2, \dots, a_s\}, \qquad S_B = \{b_1, b_2, \dots, b_t\}$$

be two publicly assigned subsets of a rack $Q$. Let also

$$\mathcal{L}_A = \langle L_{a_1}, L_{a_2}, \dots, L_{a_s} \rangle, \qquad \mathcal{L}_B = \langle L_{b_1}, L_{b_2}, \dots, L_{b_t} \rangle$$

be the corresponding subgroups of $\mathcal{L}$. Alice and Bob choose secret elements $\alpha \in \mathcal{L}_A$ and $\beta \in \mathcal{L}_B$, respectively, by randomly multiplying a finite number of generators and their inverses. Alice computes

$$c_1 = b_1 \alpha, \ c_2 = b_2 \alpha, \ \dots, \ c_t = b_t \alpha$$

and transmits $c_1, c_2, \dots, c_t$ to Bob. Similarly, Bob computes

$$a_1 \beta, \ a_2 \beta, \ \dots, \ a_s \beta$$

and replies with the corresponding elements. For every $1 \le i \le t$,

$$c_i = b_i \alpha \iff L_{c_i} = \alpha^{-1} L_{b_i} \alpha \tag{3}$$

(the implication from left to right holds in every rack by the computation of Section 2; the converse uses that $Q$ is effective), and Alice and Bob are able to compute $\beta^{-1} \alpha \beta$ and $\alpha^{-1} \beta \alpha$ (or, rather, $\alpha^{-1} \beta^{-1} \alpha$), respectively. Indeed, writing $\alpha = L_{a_{i_1}}^{e_1} \cdots L_{a_{i_n}}^{e_n}$, Alice obtains $\beta^{-1} \alpha \beta = L_{a_{i_1} \beta}^{e_1} \cdots L_{a_{i_n} \beta}^{e_n}$ from the elements $a_i \beta$ she received, and Bob proceeds symmetrically with the $c_i$. The common secret key is $\alpha^{-1} \beta^{-1} \alpha \beta \in \mathcal{L}$. It has to be infeasible to compute $\alpha$ given $b_1, \dots, b_t$ and $c_1, c_2, \dots, c_t$. By (3), this is equivalent to solving a system of conjugacy equations of left translations in $Q$.
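As an added worked example (not code from the paper), here is the exchange above run end to end in Python on a concrete finite rack. The platform is the rack $a * b = a f(a^{-1} b)$ on $G = S_4$ with $f$ the inner automorphism $g \mapsto s g s^{-1}$ for a fixed 3-cycle $s$, one of the group constructions mentioned at the end of the paper, whose left translations are not group conjugations. Words in the $L_x^{\pm 1}$ are lists of pairs $(x, e)$ acting on the right as in the paper, $L_x^{-1}$ being left division by $x$. Each party turns the elements it receives into a word for the conjugate of its own secret, exactly as equation (3) allows, and both end up with the same permutation of $Q$. The group, the automorphism, the generator sets, the word lengths and the seeded random source are assumptions made here for illustration.

```python
# Added example (not from the paper): AAG over a rack, with both sides' messages.
# Platform: the rack a * b = a f(a^{-1} b) on S_4 with f(g) = s g s^{-1}, s a 3-cycle.
from itertools import permutations
import random

N = 4


def pmul(p, q):
    """Group product in S_4, (p q)(i) = p(q(i))."""
    return tuple(p[q[i]] for i in range(N))


def pinv(p):
    inv = [0] * N
    for i, image in enumerate(p):
        inv[image] = i
    return tuple(inv)


S = (1, 2, 0, 3)                                   # the 3-cycle 0 -> 1 -> 2 -> 0


def f(g):
    """f(g) = s g s^{-1}, an automorphism of S_4 (of order 3, so not involutory)."""
    return pmul(pmul(S, g), pinv(S))


def f_inv(g):
    return pmul(pmul(pinv(S), g), S)


def rack_op(a, b):
    """a * b = a f(a^{-1} b); the left translation L_a is b -> a * b."""
    return pmul(a, f(pmul(pinv(a), b)))


def rack_ldiv(a, c):
    """The unique b with a * b = c, i.e. c L_a^{-1}."""
    return pmul(a, f_inv(pmul(pinv(a), c)))


Q = sorted(permutations(range(N)))                 # the 24 elements of the rack


def is_rack():
    """Left distributivity and bijective left translations, checked by brute force."""
    left_dist = all(rack_op(a, rack_op(b, c)) == rack_op(rack_op(a, b), rack_op(a, c))
                    for a in Q for b in Q for c in Q)
    invertible = all(rack_ldiv(a, rack_op(a, b)) == b and rack_op(a, rack_ldiv(a, b)) == b
                     for a in Q for b in Q)
    return left_dist and invertible


def act(x, word):
    """x alpha for alpha = L_{x_1}^{e_1} ... L_{x_n}^{e_n}, word = [(x_1, e_1), ...],
    applied left to right as in the paper."""
    for g, e in word:
        x = rack_op(g, x) if e == 1 else rack_ldiv(g, x)
    return x


def inv_word(word):
    """alpha^{-1}: reverse the word and flip the exponents."""
    return [(g, -e) for g, e in reversed(word)]


def conjugate_word(word, images):
    """beta^{-1} alpha beta as a word, given images[x] = x beta for each generator x
    occurring in alpha: beta^{-1} L_x^{e} beta = L_{x beta}^{e}, which is equation (3)."""
    return [(images[g], e) for g, e in word]


def as_perm(word):
    """The permutation of Q induced by a word, so that different words can be compared."""
    return tuple(act(x, word) for x in Q)


def random_word(generators, length, rng):
    return [(rng.choice(generators), rng.choice((1, -1))) for _ in range(length)]


def aag(S_A, S_B, alpha, beta):
    """One run of the exchange; returns the two parties' keys as permutations of Q."""
    # Alice -> Bob: c_i = b_i alpha.   Bob -> Alice: a_j beta.
    sent_by_alice = {b: act(b, alpha) for b in S_B}
    sent_by_bob = {a: act(a, beta) for a in S_A}
    # Alice: alpha^{-1} (beta^{-1} alpha beta).   Bob: (alpha^{-1} beta alpha)^{-1} beta.
    key_alice = inv_word(alpha) + conjugate_word(alpha, sent_by_bob)
    key_bob = inv_word(conjugate_word(beta, sent_by_alice)) + beta
    return as_perm(key_alice), as_perm(key_bob)


def run_demo(seed=7, s=4, t=4, length=8):
    """Public sets S_A, S_B and secret words alpha, beta drawn from a seeded PRNG
    (random.Random is fine for a demonstration, not for real key material)."""
    rng = random.Random(seed)
    S_A, S_B = rng.sample(Q, s), rng.sample(Q, t)
    alpha, beta = random_word(S_A, length, rng), random_word(S_B, length, rng)
    return aag(S_A, S_B, alpha, beta)


if __name__ == "__main__":
    print("platform is a rack:", is_rack())
    k_a, k_b = run_demo()
    print("keys agree:", k_a == k_b)
```

The adversary sees $S_B$ and the $c_i$, so recovering $\alpha$ is the system $\alpha^{-1} L_{b_i} \alpha = L_{c_i}$, $i = 1, \dots, t$, in the left multiplication group of this rack. On a 24-element rack that system is solvable by exhaustive search in milliseconds, so the script illustrates the mechanics of the exchange and of equation (3), not a secure parameter choice.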

It should be noted that the binary operation does not have to be induced by group conjugation. Any left distributive operation with bijective left translations can be used. For example, if $G$ is a group and $f$ is an involutory automorphism of $G$, then $a * b = a f(a^{-1} b)$ defines a rack on $G$ (left distributivity in fact holds for every automorphism $f$; $f$ being an involution makes every left translation an involution). Similarly, if $e$ is a central element of $G$ with $e^2 = 1$, then $a * b = a b^{-1} a e$ defines a rack on $G$. The condition $e^2 = 1$ cannot be dropped: expanding both sides of left distributivity gives $a * (b * c) = a b^{-1} c b^{-1} a$ and $(a * b) * (a * c) = a b^{-1} c b^{-1} a e^2$. Other constructions of left symmetric racks from groups can be found in [10]. The platform structure does not need to be a group, however. Some examples arising from different constructions can be found, for example, in O 0]. Such racks possibly offer much harder partial conjugacy search problems than the racks that appear as conjugation magmas of groups.
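As an added check (not from the paper), the two group constructions just mentioned written out on the additive group $\mathbb{Z}_n$, where $a f(a^{-1} b)$ becomes $a + f(b - a)$ with $f(x) = t x$ for a unit $t$, and $a b^{-1} a e$ becomes $2a - b + e$. Brute-force verification of the rack axioms shows that the first family is a rack for every automorphism $f$, involutory or not, and that the second is a rack exactly for the elements $e$ with $e + e = 0$, the condition noted above. The moduli and parameters are assumptions made here for illustration.

```python
# Added example (not from the paper): the group constructions of racks on Z_n.


def is_rack(elements, op):
    """Left distributivity plus bijective left translations, by brute force."""
    elements = list(elements)
    left_dist = all(op(a, op(b, c)) == op(op(a, b), op(a, c))
                    for a in elements for b in elements for c in elements)
    bijective = all(len({op(a, x) for x in elements}) == len(elements) for a in elements)
    return left_dist and bijective


def automorphism_rack(n, t):
    """a * b = a + f(b - a) with f(x) = t x, the additive form of a f(a^{-1} b).
    f is an automorphism of Z_n exactly when gcd(t, n) = 1, and it is involutory
    exactly when t^2 = 1 (mod n)."""
    return lambda a, b: (a + t * (b - a)) % n


def central_rack(n, e):
    """a * b = 2a - b + e, the additive form of a b^{-1} a e (every element of an
    abelian group is central)."""
    return lambda a, b: (2 * a - b + e) % n


def central_rack_parameters(n):
    """Those e in Z_n for which a * b = 2a - b + e is a rack.  Both sides of left
    distributivity expand to 2a - 2b + c and 2a - 2b + c + 2e, so exactly the e
    with 2e = 0 (mod n) qualify."""
    return [e for e in range(n) if is_rack(range(n), central_rack(n, e))]


def automorphism_rack_parameters(n):
    """Those t in Z_n for which a * b = a + t(b - a) is a rack: the units of Z_n."""
    return [t for t in range(n) if is_rack(range(n), automorphism_rack(n, t))]


if __name__ == "__main__":
    print("e with 2a - b + e a rack on Z_12:", central_rack_parameters(12))
    print("t with a + t(b - a) a rack on Z_12:", automorphism_rack_parameters(12))
    print("t = 3 on Z_7 (3*3 = 2, not involutory) still gives a rack:",
          is_rack(range(7), automorphism_rack(7, 3)))
```

The first construction with $t = -1$ is the core (dihedral) quandle $2a - b$, which is also the second construction with $e = 0$; every other unit $t$ gives an Alexander quandle whose left translations have order equal to the multiplicative order of $t$, so a non-involutory $f$ is a legitimate and sometimes preferable choice.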